1. Adds benchmarks comparing bcrypt and our pbkdf2 settings
1. Changes the pbkdf2 hash iterations back to 65k. 1024 is insecure
1. Gets rid of the short circuit when the user isn't found, preventing
timing attacks which can reveal which emails exist on a deployment
```
$ go test -bench .
goos: linux
goarch: amd64
pkg: github.com/coder/coder/coderd/userpassword
cpu: Intel(R) Core(TM) i9-9900K CPU @ 3.60GHz
BenchmarkBcryptMinCost-16 1651 702727 ns/op 5165 B/op 10 allocs/op
BenchmarkPbkdf2MinCost-16 1669 714843 ns/op 804 B/op 10 allocs/op
BenchmarkBcryptDefaultCost-16 27 42676316 ns/op 5246 B/op 10 allocs/op
BenchmarkPbkdf2-16 26 45902236 ns/op 804 B/op 10 allocs/op
PASS
ok github.com/coder/coder/coderd/userpassword 5.036s
```
This makes setting up git a bit simpler, and users
can always override these values!
We'll probably add a way to disable our Git integration
anyways, so these could be part of that.
This removes split ownership for workspaces. They are now
a resource of organizations and have a designated owner,
which is a user.
This enables simple administration for commands like:
- `coder stop ben/dev`
- `coder build logs colin/arch`
or if we decide to allow administrators to access workspaces,
they could even SSH using this syntax: `coder ssh colin/dev`.
These values were ignored. Environment variables are applied to
new sessions, and are refreshed on reconnect. This is cool because
a workspace could be updated with new environment variables without
requiring a complete start/stop.
The startup script is only run once regardless of changes, which
feels like the expected behavior.
Sort by uuid in expected output to cover when times are equal
for 2 users. The database (fake & pg) use id as a second ordering
to cover this edge case. Should realistically never happen in
production.
If a workspace is started multiple times, resources may
not be invalidated. This means an auth token can be
reused for a workspace.
coderd closes old agent connections, so this is expected
behavior, and the agent will reconnect properly.
Connections could fail when massive payloads were transmitted.
This fixes an upstream bug in dRPC where the connection would
end with a context canceled if a message was too large.
This adds retransmission of completion and failures too. If
Coder somehow loses connection with a provisioner daemon,
upon the next connection the state will be properly reported.
This PR modifies the original 3-valued cron strings used in package schedule to be traditional 5-valued cron strings.
- schedule.Weekly will validate that the month and dom fields are equal to *
- cli autostart/autostop will attempt to detect local timezone using TZ env var, defaulting to UTC
- cli autostart/autostop no longer accepts a raw schedule -- instead use the --minute, --hour, --dow, and --tz arguments.
- Default schedules are provided that should suffice for most users.
Fixes #993
Summary:
This adds the client-side implementation to match the types introduced
in #879 and #844 as well as a card in the Workspaces page to present
the workspace data.
Details:
* Added a convenient line break in the example schedule.Weekly
* Added missing `json:""` annotations in codersdk/workspaces.go
* Installed cronstrue for displaying human-friendly cron strings
* Adjusted/Added client-side types to match codersdk/workspaces.go
* Added new component WorkspaceSchedule.tsx
Next Steps:
The WorkspaceSchedule.tsx card only presents data (on purpose). In order
to make it PUT/modify data, a few changes will be made:
- a form for updating workspace schedule will be created
- the form will be wrapped in a dialog or modal
- the WorkspaceSchedule card will have a way of opening the modal which
will likely be generalized up to WorkspaceSection.tsx
Impact:
This is user-facing
This does not fully resolve either #274 or #275 (I may further decompose
that work to reflect reality and keep things in small deliverable
increments), but adds significant progress towards both.
This PR adds an RBAC package for managing using permissions:
- The top-level `authz.Authorize` function is the main user-facing entrypoint to the package.
- Actual permission evaluation is handled in `policy.rego`.
- Unit tests for `authz.Authorize` are in `authz_test.go`
- Documentation for the package is in `README.md`.
Co-authored-by: Cian Johnston <cian@coder.com>
This was an issue with our in-memory database that caused
newer builds to return an outdated agent, which would then
be rejected.
A test case has been added to ensure this can't happen again!
These were added under the impression that there was significant
user-experience impact if multiple resources share the same name.
This hasn't proven to be true yet, so figured we'd take this out
until it becomes necessary.
* Improve CLI documentation
* feat: Allow workspace resources to attach multiple agents
This enables a "kubernetes_pod" to attach multiple agents that
could be for multiple services. Each agent is required to have
a unique name, so SSH syntax is:
`coder ssh <workspace>.<agent>`
A resource can have zero agents too, they aren't required.
* Add tree view
* Improve table UI
* feat: Allow workspace resources to attach multiple agents
This enables a "kubernetes_pod" to attach multiple agents that
could be for multiple services. Each agent is required to have
a unique name, so SSH syntax is:
`coder ssh <workspace>.<agent>`
A resource can have zero agents too, they aren't required.
* Rename `tunnel` to `skip-tunnel`
This command was `true` by default, which causes
a confusing user experience.
* Add disclaimer about editing templates
* Add help to template create
* Improve workspace create flow
* Add end-to-end test for config-ssh
* Improve testing of config-ssh
* Fix workspace list
* Fix config ssh tests
* Update cli/configssh.go
Co-authored-by: Cian Johnston <public@cianjohnston.ie>
* Fix requested changes
* Remove socat requirement
* Fix resources not reading in TTY
Co-authored-by: Cian Johnston <public@cianjohnston.ie>
This enables a "kubernetes_pod" to attach multiple agents that
could be for multiple services. Each agent is required to have
a unique name, so SSH syntax is:
`coder ssh <workspace>.<agent>`
A resource can have zero agents too, they aren't required.
* Add endpoint for getting build info
* Add build info XService
* Add version with link to page footer
Partially addresses #376.
* Lift buildinfo package
Customer feedback indicated projects was a confusing name.
After querying the team internally, it seemed unanimous
that it is indeed a confusing name.
Here's for a lil less confusion @ashmeer7 🥂
* feat: add crontab package for supporting autostart/stop.
This is basically a small wrapper around robfig/cron/v3.
Fixes #817.
* fixup! feat: add crontab package for supporting autostart/stop. This is basically a small wrapper around robfig/cron/v3.
* fixup! feat: add crontab package for supporting autostart/stop. This is basically a small wrapper around robfig/cron/v3.
* fixup! fixup! feat: add crontab package for supporting autostart/stop. This is basically a small wrapper around robfig/cron/v3.
* fix: return struct instead of interface
* remove unnecessary interface and export struct
* fix: doc comments
* rename package to autostart/schedule
* address PR comments
This didn't actually affect the test value, since we're just looking for
logs. It did produce spam in the logs though, and could be interpreted
as a failure.